| field | value | date |
|---|---|---|
| author | keramida <keramida@FreeBSD.org> | 2007-04-10 16:42:14 +0000 |
| committer | keramida <keramida@FreeBSD.org> | 2007-04-10 16:42:14 +0000 |
| commit | 9de00d802e8f251b8cc85316e0b13c89ca7b283b | |
| tree | 661a7cc9dd4e0dd6ed1d68988851413c696de539 | |
| parent | 922d6e13fa2f0f3f7fdb5aa9e7c14de9aa802970 | |
Add a pfsync_syncpeer option to /etc/defaults/rc.conf and rc.conf(5),
which can be used to turn off multicast pfsync support, and enable
the transmission of directed PFSYNC (IP protocol: 240) packets to
a specific "sync peer" host.
PR: conf/111225
Submitted by: Bas van Beek <bas@tobin.nl>
Approved by: mtm, mlaier
MFC after: 2 weeks
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | etc/defaults/rc.conf | 1 |
| -rw-r--r-- | etc/rc.d/pfsync | 7 |
| -rw-r--r-- | share/man/man5/rc.conf.5 | 20 |
3 files changed, 27 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index af35675..e2aa99b 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -156,6 +156,7 @@ pflog_program="/sbin/pflogd" # where the pflogd program lives pflog_flags="" # additional flags for pflogd pfsync_enable="NO" # Expose pf state to other hosts for syncing pfsync_syncdev="" # Interface for pfsync to work through +pfsync_syncpeer="" # IP address of pfsync peer host pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions. log_in_vain="0" # >=1 to log connects to ports w/o listeners. diff --git a/etc/rc.d/pfsync b/etc/rc.d/pfsync index 72a22b5..8be8928 100644 --- a/etc/rc.d/pfsync +++ b/etc/rc.d/pfsync @@ -36,8 +36,13 @@ pfsync_prestart() pfsync_start() { + local _syncpeer + echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up } pfsync_stop() diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 3caf681..bd80de0 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. |
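Review bot: in the etc/defaults/rc.conf hunk, the comment on the new `pfsync_syncpeer=""` line should state what an empty value means, because the rc.d change keys entirely off emptiness. Something like `pfsync_syncpeer="" # IP address of pfsync peer host (empty: use multicast)` tells a reader of the defaults file that leaving it blank keeps the multicast behaviour described in the rc.conf(5) hunk, without having to open the script.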
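Review bot: in the etc/rc.d/pfsync hunk, the new `ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up` line depends on `$_syncpeer` being unquoted so that `syncpeer ${pfsync_syncpeer}` splits into two arguments; a one-line comment above it would protect that from a later quote-everything cleanup, which would hand ifconfig the pair as a single argument and make the start fail. The script also passes any non-empty `pfsync_syncpeer` value through verbatim, so a value containing whitespace would be split into extra ifconfig arguments; rejecting such a value with a clear message (as the existing `pfsync_prestart()` does for its own checks) gives the administrator a better error than whatever ifconfig prints. Finally, `local _syncpeer` is declared but only assigned inside the `if`; writing `local _syncpeer=""` makes the empty case explicit.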
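Review bot: in the share/man/man5/rc.conf.5 hunk, the new paragraph says the directed traffic "can then be protected using ipsec(4)" but never says that a peer address by itself adds no authentication or confidentiality; since the reader is choosing between multicast and a unicast peer here, it should state plainly that pfsync traffic is unprotected unless ipsec(4) is configured and point to pfsync(4) for the setup, which is what the cross-references already imply. It should also say that `pfsync_syncdev` is still required when a peer is set, because the rc.d hunk always passes `syncdev $pfsync_syncdev`. Minor: "Empty by default. This variable is optional." says the same thing twice; the neighbouring `pfsync_ifconfig` entry uses "Empty by default." alone.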